Thursday, October 23, 2014

From click to pwned

This is part 1 in a series investigating a particular piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.

Malware writers and scammers have a number of tricks up their sleeves, all with the goal of making your computer become their computer. Some tactics involve technology, some involve sleight-of-hand (sleight-of-mouse?), some involve social engineering, and some involve a combination of factors. I received an email scam that slipped past my spam filters and that exhibited a combination of old and new tactics, so I took some time to break it apart.

If you don't want to read through the technical details, here's the short version: don't click links or open attachments in unexpected email, don't trust email from an unknown or uncertain source, and be aware that there are lots of ways to make a malicious link look legitimate. In short, don't click the link.

Today's story starts with a relatively run-of-the-mill scam approach: an email claiming to "confirm" a purchase transaction, and offering a link (or sometimes attachment) to view an invoice or details of the purchase. These often appear to come from random email addresses, and frequently are very generic. This is the approach perfected by Gameover Zeus, the botnet temporarily disrupted earlier this year. The email does not have to be elaborate. It doesn't try to mimic a legitimate business, or to target customers of a specific company. Instead the campaign relies on sheer volume: send out a bogus email to millions of harvested email addresses, expect that some percentage will make it through spam filters, and that some percentage of recipients will click the link. Some portion of the population will always click, and even the most observant can have a bad day. Out of ten million emails sent, perhaps ten thousand people will click the link and download the malware. In the first few hours of a campaign, very few anti-virus programs will recognize the download as malicious, so many of those 10,000 downloads will result in infected PCs. Even 5 days after I first saw this particular payload, barely 2/3 of common antivirus products detect this payload as malicious.

It's a psychological ploy: if you receive a "thank you for your purchase" message and you didn't purchase something, what's your first reaction? Instinct says to pull up the invoice and see what you supposedly purchased, and from whom. It's far safer to check your bank and credit card accounts for pending transactions - a real purchase will almost always result in a pending charge before the merchant completes the sale and sends a confirmation.


Much similar spam this year has included an attachment (often in the form of a PDF or SCR file - the former being an Adobe Reader document, and the latter a sometimes-ignored screen saver executable), or a link to the same on Dropbox: cloud storage makes sharing legitimate files easy, but it also makes sharing malicious files easy. This email instead looks like a link to Google. It's a subtle way to get past the slightly observant user (who may by now be conditioned to be suspicious of random links or of Dropbox, but not so of Google). This link makes use of Google's redirector function. Redirection has some legitimate (depending on your level of paranoia) uses - it allows hiding search terms when you click on a search result; it enables Google to display previews of various document formats by redirecting the link through their document engine; and it is used in Google Analytics and advertising campaigns.

In essence, this link says "hey Google, send me to copy.com/[redacted]/Package_FLLG.PDF" [URL changed to avoid accidentally embedding a malicious link in my post]. Google has some logic to prevent use in this manner - if all the attacker does is link to Google and provide some random url, you will get a warning from Google:

[ https://www.google.com/url?q=http://yahoo.com ]


However, Google apparently relies on the "usg=" parameter at the end of the link to validate a "safe" redirection. If the attacker is able to generate a correct usg value, Google will happily perform the redirection without any warning. In this case, the attacker did generate a correct usg value, and so the link seamlessly ends up at the malicious download.
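A mail filter or analyst can unwrap such links and judge the real destination instead of the Google hostname. The following Python sketch is an added example, not code from the original post; the host pattern, the sample message, `files.example.test` and the `usg` value are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Redirector host; the google.* pattern is a simplification (assumption).
REDIRECT_HOST = re.compile(r"^(www\.)?google\.[a-z.]{2,6}$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
RISKY_EXT = (".pdf", ".scr")  # file types the post calls out for this spam


def unwrap_google_redirect(url):
    """Return (destination, has_usg) for a google.*/url link, else None.

    The destination is read from q= (as in the post) or url=.
    """
    parts = urlsplit(url)
    if not REDIRECT_HOST.match(parts.hostname or "") or parts.path != "/url":
        return None
    query = parse_qs(parts.query)
    dest = (query.get("q") or query.get("url") or [None])[0]
    if not dest or not dest.lower().startswith(("http://", "https://")):
        return None
    return dest, "usg" in query


def triage(body):
    """List every redirector link in an email body with its real target."""
    findings = []
    for link in URL_RE.findall(body):
        unwrapped = unwrap_google_redirect(link.rstrip(".,;"))
        if unwrapped is None:
            continue
        dest, has_usg = unwrapped
        target = urlsplit(dest)
        findings.append({
            "destination": dest,
            "host": target.hostname,  # the host that should be reputation-checked
            "signed": has_usg,  # usg present: the post says a valid one skips the warning
            "risky_file": target.path.lower().endswith(RISKY_EXT),
        })
    return findings


# Constructed sample message; the domain and usg value are placeholders.
SAMPLE = """Thank you for your purchase. View your invoice:
https://www.google.com/url?q=http://files.example.test/dl/Package_FLLG.PDF&usg=PLACEHOLDER
Search help: https://www.google.com/search?q=invoice
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Feeding the unwrapped host and path to URL reputation and attachment-type policy treats the link as what it is: a download from a third-party site.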

Once downloaded and run, this malware installs itself on your computer and joins your computer to the attacker's botnet. From this point on, the computer no longer belongs to you. For reference, most AV programs now detect this as a generic trojan; Microsoft and TotalDefense call it Gamarue; AVG and Avira call it various Crypt or Kryptic strains.



The story is continued in part 2, analyzing the downloaded file and the actions it takes as a bot agent.